Revision as of 02:39, 29 July 2009

Objective

This tech note outlines the main differences in the Switched Port Analyzer (SPAN) between Cisco® NX-OS Software and Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.

SPAN Overview

The SPAN feature allows traffic to be mirrored from within a switch from a source port to a destination port. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.

Important Cisco NX-OS and Cisco IOS Software Differences

In Cisco NX-OS:

Only Local SPAN is supported.

Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.

18 monitor sessions can be configured. Only two sessions can be active simultaneously.

Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software has the option for flat or hierarchical configuration in Cisco IOS Software Release 12.2(18)SXH and later.

A single SPAN session can include mixed sources (Ethernet ports, Ethernet PortChannels, RSPAN sources, VLANs, and the CPU control-plane interface).

Destination SPAN ports must be configured as Layer 2 ports with the switchport command.

The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.

Two active SPAN sessions are supported for all virtual device contexts (VDCs).

Monitor sessions are disabled by default. They can be enabled with the no shut command.

The source traffic direction can be configured as rx, tx, or both. The default is both.

When a VLAN is specified as the source, traffic to and from the Layer 2 ports in the specified VLAN is sent to the destination.

The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All VDC traffic is visible.)

By default, SPAN does not copy the IEEE 802.1q tag from trunk sources.

A destination port can be configured in switchport access or trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)

A destination port does not participate in a spanning-tree instance.

A destination port can be configured in only one SPAN session at a time.

A port cannot be configured as both a source and destination port.

128 source interfaces can be configured per session.

32 source VLANs can be configured per session.

2 destination interfaces can be configured per session.

Configuration Comparison

The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software Release 12.2(18)SXH, so its hierarchy is similar to that of Cisco NX-OS. Older versions of Cisco IOS Software support only a flat configuration.

For each feature below, the Cisco IOS CLI is shown first, followed by the Cisco NX-OS CLI.

Configuring the Destination Switchport Mode

Cisco IOS CLI:

Cisco IOS Software does not require any destination port configuration.

Cisco NX-OS CLI:

    interface Ethernet2/2
      switchport
      switchport monitor

Configuring Destination Port Ingress Forwarding and Learning

Cisco IOS CLI:

    monitor session 1 type local
      destination interface Gi2/2 ingress learning

Cisco NX-OS CLI:

    interface Ethernet2/2
      switchport
      switchport monitor ingress learning

Configuring a SPAN Monitor (Ethernet Source and Destination)

Cisco IOS CLI:

    monitor session 1 type local
      source interface Gi2/1
      destination interface Gi2/2

Cisco NX-OS CLI:

    monitor session 1
      source interface Ethernet2/1 both
      destination interface Ethernet2/2
      no shut

Configuring a SPAN Monitor (VLAN Source)

Cisco IOS CLI:

    monitor session 1 type local
      source vlan 10 , 20
      destination interface Gi2/2

Cisco NX-OS CLI:

    monitor session 1
      source vlan 10,20 both
      destination interface Ethernet2/2
      no shut

Filtering VLANs for IEEE 802.1q Trunk Sources

Cisco IOS CLI:

    interface GigabitEthernet2/1
      switchport
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 10-20
      switchport mode trunk

    monitor session 1 type local
      filter vlan 15 - 20
      source interface Gi2/1
      destination interface Gi2/2
      no shutdown

Cisco NX-OS CLI:

    interface Ethernet2/1
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 10-20

    monitor session 1
      source interface Ethernet2/1 both
      destination interface Ethernet2/2
      filter vlan 15-20
      no shut

Configuring a SPAN Monitor (CPU Source)

Cisco IOS CLI:

    monitor session 1 type local
      source cpu rp rx
      destination interface Gi2/2
      no shutdown

Cisco NX-OS CLI:

    monitor session 1
      source interface sup-eth0 rx
      destination interface Ethernet2/2
      no shut
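One way to check an NX-OS configuration against the rules listed earlier (two active sessions, Layer 2 destination ports, no port as both source and destination, one session per destination). This is an added example, not Cisco code: the lint function and the sample configuration are constructed for illustration, and it assumes one interface per source or destination line (ranges and comma-separated lists are not expanded).

```python
import re

MAX_ACTIVE = 2  # this note: only two NX-OS sessions can be active at once

# Constructed sample: Ethernet2/2 is a destination in session 1 and a source in
# session 2; Ethernet2/3 is a destination with no Layer 2 monitor configuration.
SAMPLE = """\
interface Ethernet2/2
  switchport
  switchport monitor
monitor session 1
  source interface Ethernet2/1 both
  destination interface Ethernet2/2
  no shut
monitor session 2
  source interface Ethernet2/2 rx
  destination interface Ethernet2/3
  no shut
"""

def lint(config):
    """Return sorted findings (hypothetical helper, single-port lines only)."""
    ports, src, dst, active, cur = {}, set(), {}, set(), None
    for line in filter(None, map(str.strip, config.splitlines())):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ports.setdefault(m[1], [])      # enter an interface stanza
        elif m := re.fullmatch(r"monitor session (\d+)", line):
            cur = int(m[1])                       # enter a monitor session stanza
        elif isinstance(cur, list):
            cur.append(line)                      # line belongs to the interface
        elif m := re.fullmatch(r"source interface (\S+)( (rx|tx|both))?", line):
            src.add(m[1])
        elif m := re.fullmatch(r"destination interface (\S+)", line):
            dst.setdefault(m[1], set()).add(cur)  # sessions using this destination
        elif line in ("no shut", "no shutdown") and cur is not None:
            active.add(cur)
    out = []
    if len(active) > MAX_ACTIVE:
        out.append(f"{len(active)} active sessions, limit is {MAX_ACTIVE}")
    for port, sessions in dst.items():
        cfg = ports.get(port, [])
        if len(sessions) > 1:
            out.append(f"{port}: destination in {len(sessions)} sessions")
        if port in src:
            out.append(f"{port}: both source and destination")
        if "switchport" not in cfg or not any(c.startswith("switchport monitor") for c in cfg):
            out.append(f"{port}: destination needs switchport and switchport monitor")
    return sorted(out)
```

Running lint(SAMPLE) reports Ethernet2/2 as both source and destination and Ethernet2/3 as a destination without the required switchport configuration.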

Verification Command Comparison

The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.